The WannaCry Malware Attack - NiSystems blog

Published:2017-05-16 10:22 AM by
Izak van der Sandt

On May 12, 2017, many organizations around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Microsoft is working to ensure they are taking all possible actions to protect their customers. Below we have given further details of the threat and steps every individual and business should take to stay protected. Additionally, Microsoft is taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

In March, Microsoft released a security update which addresses the vulnerability that these attacks are exploiting. Unfortunately, the malware appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so. Microsoft anti malware telemetry constantly monitors for such threats, and alerted us to this attack. These systems gave us the visibility and context around the attach, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, Microsoft was able to protect many up-to-date systems against this malware.

Steps to prevent and protect against this threat

To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigation built into the latest versions of Windows.

We recommend customers that have not yet installed the security update MS17-010 do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:

Attack vector

A ransomware threat does not normally spread so rapidly. Threats like WannaCrypt typically leverage social engineering or emails as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators incorporated publicly-available exploit code for the patched SMB EternalBlue vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server, was fixed in security bulletin MS17-010, released on March 14, 2017.

WannaCrypt’s spreading mechanism is borrowed from well-knownpublic SMB exploits, which armed this regular ransom-ware with worm-like functionalities, creating an entry vector in machines still unpatched even after the fix had become available.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios we believe are highly possible for this ransomware family:

Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit

Infection through SMB exploit when an unpatched computer can be addressed in other infected machines

Dropper

The threat arrives as a dropper Trojan that has the following two components:

Ccomponent that tries to exploit the SMB EternalBlue vulnerability in other computers

Ransomware known as WannaCrypt

The dropper tries to connect the following domain using the API InternetOpenUrlA():

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If connection is successful, the threat does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the dropper proceeds to drop the ransomware and creates a service on the system.

In other words, blocking the domain with firewall either at ISP or enterprise network level will cause the ransomware to continue spreading and encrypting files.

The threat creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

WannaCrypt ransomware

The ransomware component is a dropper that contains a password-protected archive in its resource section. The document encryption routine and the files in the .zip archivecontain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is “WNcry@2ol7”.

WannaCrypt encrypts all files it finds and renames them by appending “.WNCRY” to the file name. For example, if a file is named “picture.jpg”, the ransomware encrypts and renames to “picture.jpg.WNCRY”.

This ransomware also creates the file “@Please_Read_Me@.txt” in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (screenshot below).

After completing the encryption process, the malware deletes the volume shadow copies by running the following command:

The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.

Spreading capability

The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which normally can be observed by SecOps personnel, as shown below.

The Internet scanning routine randomly generates octets to form the IPv4 address and targets that IP to attempt exploitation of CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode which seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.

Microsoft Malware Detection and Removal Tools

Use the following free Microsoft tools to detect and remove this threat:

Should you wish to be unsubscribed from future email or mobile (SMS) campaigns from us, please provide your details below.
Note that you will be unsubscribed from all the campaign types for which you provide details, so if you enter both your email address and mobile number then you will be unsubscribed from all our communications.